OIDC

Outline supports all OIDC-compatible authentication providers and automatic discovery out of the box.

Automatic discovery

Using automatic discovery Outline will expect to find a /.well-known/oidc-disovery file on the server at your issuer URL and will configure the rest of the settings on startup.

  • OIDC_ISSUER_URL – The URL of your OIDC server

  • OIDC_CLIENT_ID – OAuth client ID

  • OIDC_CLIENT_SECRET – OAuth client secret

Manual discovery

You can also provide the OIDC configuration manually as environment variables; the following values are all required if configuring manually:

  • OIDC_CLIENT_ID – OAuth client ID

  • OIDC_CLIENT_SECRET – OAuth client secret

  • OIDC_AUTH_URI

  • OIDC_TOKEN_URI

  • OIDC_USERINFO_URI

Optional setup

Note, one of the following should be set or it will be very difficult for users to logout correctly:

  • OIDC_DISABLE_REDIRECT – If set, will prevent Outline from automatically redirecting to the OIDC provider

  • OIDC_LOGOUT_URI – A url that the client will be redirect to post-logout

The following configuration is optional:

  • OIDC_USERNAME_CLAIM – Supports any valid JSON path with the JWT payload (preferred_username by default)

  • OIDC_DISPLAY_NAME – The text that should be displayed on the login button (OpenID by default)

  • OIDC_SCOPES – The scopes to request (openid profile email by default)

Examples

OIDC providers will often publish the correct values for these at the “.well-known” url, some examples that could be used to sign-in to Outline using this method include: